nixfiles/hosts/hetzner-arm/containers/mail/modules/mailserver/dovecot.nix

{
  config,
  pkgs,
  lib,
  ...
}: let
  inherit (lib.modules) mkIf;
  inherit (lib.attrsets) mapAttrsToList;
  inherit (lib.strings) concatStringsSep optionalString;

  mailConfig = config.services.mailserver;
  vmailConfig = mailConfig.vmail;

  postfixCfg = config.services.postfix;

  dovecotRuntimeDir = "/run/dovecot2";
  passwdFile = "${dovecotRuntimeDir}/passwd";

  genPasswdScript = pkgs.writeScript "generate-password-file" ''
    #!${pkgs.stdenv.shell}

    set -euo pipefail

    ${concatStringsSep "\n" (map (userPasswdFile: ''
      if [ ! -f "${userPasswdFile}" ]; then
        echo "Expected password hash file ${userPasswdFile} does not exist!"
        exit 1
      fi
    '') (mapAttrsToList (_email: config: config.passwordHashFile) mailConfig.accounts))}

    cat <<EOF > ${passwdFile}
    ${concatStringsSep "\n" (mapAttrsToList (
        email: config: "${email}:$(head -n 1 ${config.passwordHashFile})"
      )
      mailConfig.accounts)}
    EOF
  '';
in {
  config = mkIf (mailConfig.enable) {
    services.dovecot2 = {
      enable = true;
      enableImap = true;
      enableLmtp = true;
      enableQuota = true;
      enablePop3 = false;
      enablePAM = false; # Not using PAM for Auth

      mailUser = vmailConfig.user;
      mailGroup = vmailConfig.group;
      mailLocation = "maildir:${vmailConfig.directory}/%d/%n";

      sslServerCert = mailConfig.sslConfig.cert;
      sslServerKey = mailConfig.sslConfig.key;

      # For Sieve
      modules = with pkgs; [dovecot_pigeonhole];
      protocols = ["sieve"];

      sieveScripts = {
        after = builtins.toFile "spam.sieve" ''
          require "fileinto";

          if header :is "X-Spam" "Yes" {
              fileinto "Junk";
              stop;
          }
        '';
      };

      mailboxes = {
        Trash = {
          auto = "no";
          specialUse = "Trash";
        };
        Junk = {
          auto = "subscribe";
          specialUse = "Junk";
        };
        Drafts = {
          auto = "subscribe";
          specialUse = "Drafts";
        };
        Sent = {
          auto = "subscribe";
          specialUse = "Sent";
        };
      };

      extraConfig = ''
        ${optionalString mailConfig.debugMode ''
          mail_debug = yes
          auth_debug = yes
          verbose_ssl = yes
        ''}

        service imap-login {
            inet_listener imap {
              port = 143
            }
            inet_listener imaps {
                port = 993
                ssl = yes
            }
        }

        protocol imap {
            mail_max_userip_connections = 100
            mail_plugins = $mail_plugins imap_sieve
        }

        ssl = required
        ssl_min_protocol = TLSv1.2
        ssl_prefer_server_ciphers = yes

        service lmtp {
            unix_listener dovecot-lmtp {
                group = ${postfixCfg.group}
                mode = 0600
                user = ${postfixCfg.user}
            }
        }

        recipient_delimiter = "+"
        lmtp_save_to_detail_mailbox = "no"

        protocol lmtp {
            mail_plugins = $mail_plugins sieve
        }

        mail_access_groups = "${vmailConfig.group}"

        userdb {
            driver = static
            args = uid=${toString vmailConfig.userID} gid=${toString vmailConfig.groupID}
        }

        passdb {
            driver = passwd-file
            args = ${passwdFile}
        }

        service auth {
            unix_listener auth {
                mode = 0660
                user = ${postfixCfg.user}
                group = ${postfixCfg.group}
            }
        }

        auth_mechanisms = plain login

        namespace inbox {
          separator = "."
          inbox = yes
        }

        plugin {
            sieve_plugins = sieve_imapsieve sieve_extprograms
            sieve = file:${mailConfig.sieveDirectory}/%u/scripts;active=${mailConfig.sieveDirectory}/%u/active.sieve
            sieve_default = file:${mailConfig.sieveDirectory}/%u/default.sieve
            sieve_default_name = default

            # From elsewhere to Spam folder
            imapsieve_mailbox1_name = Junk
            imapsieve_mailbox1_causes = COPY
            imapsieve_mailbox1_before = file:${./spam_sieve/report-spam.sieve}

            # From Spam folder to elsewhere
            imapsieve_mailbox2_name = *
            imapsieve_mailbox2_from = Junk
            imapsieve_mailbox2_causes = COPY
            imapsieve_mailbox2_before = file:${./spam_sieve/report-ham.sieve}

            ${optionalString mailConfig.rspamd.enable (let
          pipeBin = pkgs.stdenv.mkDerivation {
            name = "pipe_bin";
            src = ./pipe_bin;
            buildInputs = with pkgs; [makeWrapper coreutils bash rspamd];
            buildCommand = ''
              mkdir -p $out/pipe/bin
              cp $src/* $out/pipe/bin/
              chmod a+x $out/pipe/bin/*
              patchShebangs $out/pipe/bin

              for file in $out/pipe/bin/*; do
                wrapProgram $file \
                  --set PATH "${pkgs.coreutils}/bin:${pkgs.rspamd}/bin"
              done
            '';
          };
        in ''
          sieve_pipe_bin_dir = ${pipeBin}/pipe/bin
        '')}

            sieve_global_extensions = ${optionalString mailConfig.rspamd.enable "+vnd.dovecot.pipe"} +vnd.dovecot.environment
        }
        lda_mailbox_autosubscribe = yes
        lda_mailbox_autocreate = yes
      '';
    };

    systemd = {
      tmpfiles.rules = [
        "f ${passwdFile} 600 dovecot2 dovecot2"
      ];
      services = {
        dovecot2.preStart = ''
          ${genPasswdScript}
        '';
        postfix.restartTriggers = [genPasswdScript];
      };
    };
  };
}
tidy files, switch to alejandra for formatting, add private aliases to mailserver 2022-12-04 13:45:43 +00:00			`{`
			`config,`
			`pkgs,`
			`lib,`
			`...`
			`}: let`
major tidy 2023-09-18 03:56:58 +01:00			`inherit (lib.modules) mkIf;`
			`inherit (lib.attrsets) mapAttrsToList;`
			`inherit (lib.strings) concatStringsSep optionalString;`
tidy files, switch to alejandra for formatting, add private aliases to mailserver 2022-12-04 13:45:43 +00:00
major tidy 2023-09-18 03:56:58 +01:00			`mailConfig = config.services.mailserver;`
			`vmailConfig = mailConfig.vmail;`
move mailserver to module 2022-11-17 12:06:16 +00:00
			`postfixCfg = config.services.postfix;`

major tidy 2023-09-18 03:56:58 +01:00			`dovecotRuntimeDir = "/run/dovecot2";`
			`passwdFile = "${dovecotRuntimeDir}/passwd";`

move mailserver to module 2022-11-17 12:06:16 +00:00			`genPasswdScript = pkgs.writeScript "generate-password-file" ''`
			`#!${pkgs.stdenv.shell}`

			`set -euo pipefail`

major tidy 2023-09-18 03:56:58 +01:00			`${concatStringsSep "\n" (map (userPasswdFile: ''`
			`if [ ! -f "${userPasswdFile}" ]; then`
			`echo "Expected password hash file ${userPasswdFile} does not exist!"`
move mailserver to module 2022-11-17 12:06:16 +00:00			`exit 1`
			`fi`
major tidy 2023-09-18 03:56:58 +01:00			`'') (mapAttrsToList (_email: config: config.passwordHashFile) mailConfig.accounts))}`
move mailserver to module 2022-11-17 12:06:16 +00:00
			`cat <<EOF > ${passwdFile}`
major tidy 2023-09-18 03:56:58 +01:00			`${concatStringsSep "\n" (mapAttrsToList (`
			`email: config: "${email}:$(head -n 1 ${config.passwordHashFile})"`
			`)`
			`mailConfig.accounts)}`
move mailserver to module 2022-11-17 12:06:16 +00:00			`EOF`
			`'';`
			`in {`
major tidy 2023-09-18 03:56:58 +01:00			`config = mkIf (mailConfig.enable) {`
move mailserver to module 2022-11-17 12:06:16 +00:00			`services.dovecot2 = {`
			`enable = true;`
			`enableImap = true;`
tidy files, switch to alejandra for formatting, add private aliases to mailserver 2022-12-04 13:45:43 +00:00			`enableLmtp = true;`
move mailserver to module 2022-11-17 12:06:16 +00:00			`enableQuota = true;`
tidy files, switch to alejandra for formatting, add private aliases to mailserver 2022-12-04 13:45:43 +00:00			`enablePop3 = false;`
			`enablePAM = false; # Not using PAM for Auth`

major tidy 2023-09-18 03:56:58 +01:00			`mailUser = vmailConfig.user;`
			`mailGroup = vmailConfig.group;`
			`mailLocation = "maildir:${vmailConfig.directory}/%d/%n";`
tidy files, switch to alejandra for formatting, add private aliases to mailserver 2022-12-04 13:45:43 +00:00
major tidy 2023-09-18 03:56:58 +01:00			`sslServerCert = mailConfig.sslConfig.cert;`
			`sslServerKey = mailConfig.sslConfig.key;`
tidy files, switch to alejandra for formatting, add private aliases to mailserver 2022-12-04 13:45:43 +00:00
			`# For Sieve`
			`modules = with pkgs; [dovecot_pigeonhole];`
			`protocols = ["sieve"];`
move mailserver to module 2022-11-17 12:06:16 +00:00
			`sieveScripts = {`
			`after = builtins.toFile "spam.sieve" ''`
			`require "fileinto";`

			`if header :is "X-Spam" "Yes" {`
			`fileinto "Junk";`
			`stop;`
			`}`
			`'';`
			`};`

			`mailboxes = {`
			`Trash = {`
			`auto = "no";`
			`specialUse = "Trash";`
			`};`
			`Junk = {`
			`auto = "subscribe";`
			`specialUse = "Junk";`
			`};`
			`Drafts = {`
			`auto = "subscribe";`
			`specialUse = "Drafts";`
			`};`
			`Sent = {`
			`auto = "subscribe";`
			`specialUse = "Sent";`
			`};`
			`};`

			`extraConfig = ''`
major tidy 2023-09-18 03:56:58 +01:00			`${optionalString mailConfig.debugMode ''`
move mailserver to module 2022-11-17 12:06:16 +00:00			`mail_debug = yes`
			`auth_debug = yes`
			`verbose_ssl = yes`
			`''}`

			`service imap-login {`
			`inet_listener imap {`
			`port = 143`
			`}`
			`inet_listener imaps {`
			`port = 993`
			`ssl = yes`
			`}`
			`}`

			`protocol imap {`
			`mail_max_userip_connections = 100`
			`mail_plugins = $mail_plugins imap_sieve`
			`}`

			`ssl = required`
			`ssl_min_protocol = TLSv1.2`
			`ssl_prefer_server_ciphers = yes`

			`service lmtp {`
			`unix_listener dovecot-lmtp {`
			`group = ${postfixCfg.group}`
			`mode = 0600`
			`user = ${postfixCfg.user}`
			`}`
			`}`

			`recipient_delimiter = "+"`
			`lmtp_save_to_detail_mailbox = "no"`

			`protocol lmtp {`
			`mail_plugins = $mail_plugins sieve`
			`}`

major tidy 2023-09-18 03:56:58 +01:00			`mail_access_groups = "${vmailConfig.group}"`
move mailserver to module 2022-11-17 12:06:16 +00:00
			`userdb {`
tidy files, switch to alejandra for formatting, add private aliases to mailserver 2022-12-04 13:45:43 +00:00			`driver = static`
major tidy 2023-09-18 03:56:58 +01:00			`args = uid=${toString vmailConfig.userID} gid=${toString vmailConfig.groupID}`
tidy files, switch to alejandra for formatting, add private aliases to mailserver 2022-12-04 13:45:43 +00:00			`}`

			`passdb {`
move mailserver to module 2022-11-17 12:06:16 +00:00			`driver = passwd-file`
			`args = ${passwdFile}`
			`}`

			`service auth {`
			`unix_listener auth {`
			`mode = 0660`
			`user = ${postfixCfg.user}`
			`group = ${postfixCfg.group}`
			`}`
			`}`

			`auth_mechanisms = plain login`

			`namespace inbox {`
			`separator = "."`
			`inbox = yes`
			`}`

			`plugin {`
			`sieve_plugins = sieve_imapsieve sieve_extprograms`
major tidy 2023-09-18 03:56:58 +01:00			`sieve = file:${mailConfig.sieveDirectory}/%u/scripts;active=${mailConfig.sieveDirectory}/%u/active.sieve`
			`sieve_default = file:${mailConfig.sieveDirectory}/%u/default.sieve`
move mailserver to module 2022-11-17 12:06:16 +00:00			`sieve_default_name = default`

			`# From elsewhere to Spam folder`
			`imapsieve_mailbox1_name = Junk`
			`imapsieve_mailbox1_causes = COPY`
			`imapsieve_mailbox1_before = file:${./spam_sieve/report-spam.sieve}`

			`# From Spam folder to elsewhere`
			`imapsieve_mailbox2_name = *`
			`imapsieve_mailbox2_from = Junk`
			`imapsieve_mailbox2_causes = COPY`
			`imapsieve_mailbox2_before = file:${./spam_sieve/report-ham.sieve}`

major tidy 2023-09-18 03:56:58 +01:00			`${optionalString mailConfig.rspamd.enable (let`
			`pipeBin = pkgs.stdenv.mkDerivation {`
			`name = "pipe_bin";`
			`src = ./pipe_bin;`
			`buildInputs = with pkgs; [makeWrapper coreutils bash rspamd];`
			`buildCommand = ''`
			`mkdir -p $out/pipe/bin`
			`cp $src/* $out/pipe/bin/`
			`chmod a+x $out/pipe/bin/*`
			`patchShebangs $out/pipe/bin`

			`for file in $out/pipe/bin/*; do`
			`wrapProgram $file \`
			`--set PATH "${pkgs.coreutils}/bin:${pkgs.rspamd}/bin"`
			`done`
			`'';`
			`};`
			`in ''`
			`sieve_pipe_bin_dir = ${pipeBin}/pipe/bin`
			`'')}`

			`sieve_global_extensions = ${optionalString mailConfig.rspamd.enable "+vnd.dovecot.pipe"} +vnd.dovecot.environment`
move mailserver to module 2022-11-17 12:06:16 +00:00			`}`
			`lda_mailbox_autosubscribe = yes`
			`lda_mailbox_autocreate = yes`
			`'';`
			`};`

major tidy 2023-09-18 03:56:58 +01:00			`systemd = {`
			`tmpfiles.rules = [`
			`"f ${passwdFile} 600 dovecot2 dovecot2"`
			`];`
			`services = {`
			`dovecot2.preStart = ''`
			`${genPasswdScript}`
			`'';`
			`postfix.restartTriggers = [genPasswdScript];`
			`};`
move mailserver to module 2022-11-17 12:06:16 +00:00			`};`
tidy files, switch to alejandra for formatting, add private aliases to mailserver 2022-12-04 13:45:43 +00:00			`};`
move mailserver to module 2022-11-17 12:06:16 +00:00			`}`